Access to SharePoint sites is controlled through the authentication settings in IIS. The default setting is to use Windows integrated authentication, but sites can also use digest or basic authentication.

Digest authentication is used when SharePoint is installed in Active Directory mode (as when configured for use by an ISP). Basic authentication sends user name and password information as text, which provides less protection for that information but allows it to pass though a network firewall.

In addition, the security settings in the site's web.config file can control which users are allowed or denied permission to access the site. For example, the following settings only allow access to users with Administrative privileges on the server:

   <authentication mode="Windows" />
   <authorization>
         <allow roles="Administrators" />
         <deny users="*" />
   </authorization>
   <identity impersonate="true" />

The roles attribute above refers to the Windows account group, not the SharePoint group. You can use allow and deny element to add or remove specific roles or users. For example the following element blocks the BeigeBond from access the site:

   <deny users="WOMBAT1\BeigeBond" />

The impersonate attribute determines the identity used to run applications within the SharePoint site. In this case, SharePoint .aspx pages and web parts execute using the permissions granted to the user's account.

Once a user is authenticated, SharePoint uses the members list stored in the site's ...